diff options
author | Keith Holman <Keith.Holman@windriver.com> | 2014-05-22 10:34:36 -0400 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2014-05-23 23:58:00 -0400 |
commit | 966ba0d68d7fc4cba94e2ff1ece89ff0b6d7a95c (patch) | |
tree | cbf8110afedd71162e840a29a9bab68caa5f9655 /meta-openstack/Documentation | |
parent | 614d78e86dd10528f12adee39904ac3ec077fe5c (diff) | |
download | meta-cloud-services-966ba0d68d7fc4cba94e2ff1ece89ff0b6d7a95c.tar.gz |
add readme about barbican security issues
Using Barbican with Keystone authentication has some known
problems. Specifically, the problme is that Keystone now uses PKI
tokens, which are too long for the Barbican protocol to handle in
its current configuration. This patch delivers a readme file to
document these issues for the end-user.
Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'meta-openstack/Documentation')
-rw-r--r-- | meta-openstack/Documentation/README.barbican | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta-openstack/Documentation/README.barbican b/meta-openstack/Documentation/README.barbican new file mode 100644 index 0000000..59eedea --- /dev/null +++ b/meta-openstack/Documentation/README.barbican | |||
@@ -0,0 +1,69 @@ | |||
1 | Summary | ||
2 | ======= | ||
3 | |||
4 | This document is intended to provide an overview of the implementation | ||
5 | details with the current release of Barbican. | ||
6 | |||
7 | |||
8 | Limitation 1: No authorization required for retrieving secrets | ||
9 | ============================================================= | ||
10 | |||
11 | The current implementation of Barbican allows secrets that are stored using | ||
12 | authentication to be retrieved without authentication. Thus, all stored | ||
13 | secrets are available to anyone with access to the system. | ||
14 | |||
15 | An example of this, can be seen from running the following commands, using | ||
16 | the barbicanclient: | ||
17 | $ barbican --os-username admin --os-password not-valid secret store \ | ||
18 | -n mysecret -p 'top secret data' -t 'text/plain' | ||
19 | returns: a failure as the username and password are not correct | ||
20 | $ barbican --os-username admin --os-password password secret store \ | ||
21 | -n mysecret -p 'top secret data' -t 'text/plain' | ||
22 | returns: [the address retrieve the secret] | ||
23 | $ barbican --no-auth secret get --decrypt [address returned above] | ||
24 | returns: top secret data | ||
25 | |||
26 | |||
27 | Limitation 2: Integration with Keystone authentication | ||
28 | ======================================================= | ||
29 | Introduced in the Grizzly release of OpenStack, Keystone by default uses | ||
30 | PKI tokens as opposed to UUID tokens. PKI tokens are much larger then UUID | ||
31 | tokens (> 6000 bytes versus 16 bytes). Without changing the maximum packet | ||
32 | size, PKI tokens are too large to fit into a Barbican request packet. The | ||
33 | uWSGI maximum packet size has been increased to the maximum of 65355 bytes | ||
34 | (from the default of 4096 bytes) in order to support PKI tokens by default. | ||
35 | The larger PKI token size will increase the network load due to the larger | ||
36 | packets that are sent when authentication is enabled. | ||
37 | |||
38 | When using Barbican with Keystone authentication it is a known problem that | ||
39 | due to the varying length of the PKI token secret size for Barbican has no | ||
40 | fixed maximum. There are two solutions to this problem: | ||
41 | |||
42 | * Don't use Keystone authentication when storing secrets with Barbican | ||
43 | * Change Keystone to revert back using UUID tokens instead of PKI tokens | ||
44 | (See next section below for the security implications of doing this) | ||
45 | |||
46 | |||
47 | Changing Keystone to use UUID tokens | ||
48 | ==================================== | ||
49 | |||
50 | PKI tokens increase security by increasing the token size versus using UUID | ||
51 | tokens. Reverting back to UUID tokens fixes the problem described above. | ||
52 | However, the disadvantage is that you loose the security PKI tokens provide | ||
53 | to all resources that use Keystone for authentication purposes, including | ||
54 | Barbican. | ||
55 | |||
56 | To have Keystone use UUID as tokens, change the bitbake recipe | ||
57 | (python-keystone_git.bb) by setting the TOKEN_FORMAT variable to a value of | ||
58 | "UUID" and recompile. ie. Change the line TOKEN_FORMAT ?= "PKI" to | ||
59 | TOKEN_FORMAT="UUID" in the python-keyston_git.bb file. | ||
60 | |||
61 | |||
62 | Security Implications | ||
63 | ===================== | ||
64 | |||
65 | * UUID tokens are shorter in length then UUID tokens, thus they are more | ||
66 | susceptible to brute force attacks. | ||
67 | * Changing Keystone to use UUID tokens affects all system services that | ||
68 | rely on Keystone (for example, the Horizon web interface) | ||
69 | |||